05:26 PM
Connect Directly

Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft

Automated attack bypasses two-factor authentication

A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone.

Security researchers at Trend Micro during the past few months have studied a dangerous new module for Zeus and SpyEye that automatically withdraws funds from a victim's account without the attacker having to monitor the process, even if it includes strong authentication. So far, the so-called automatic transfer systems (ATS) attacks are targeting banking customers in Europe, namely in Germany, England, and Italy, where two-factor authentication is used via SMS, for example.

"What we've seen in the last three months is significantly more advanced and the automation of bypassing two-factor authentication and perpetuating a man-in-the-browser attack," says Tom Kellermann, vice president of cybersecurity for Trend Micro. "It also has the capacity to move funds out of the [victim's] account so that the criminal doesn't have to sit there and wait or wait for communication from his bot. It's totally automated."

Kellermann says the fact that the bad guys have written such advanced tools to target the harder-to-crack European banking isn't "good tidings" for the U.S. "This could easily work on American [online banking systems]," which are not as stringent as European ones, he notes.

And with the ability to withdraw funds automatically, the attackers don't even need to use a money mule to transfer the funds unless they want to, he says. The malware targets Windows machines.

These types of attacks, however, are not new, says Amit Klein, CTO at Trusteer. "The concept is not new," he says. "We have seen this before, but not necessarily the framework" that Trend Micro has studied here, he says.

In one SpyEye attack Trusteer witnessed last fall against a Spanish bank, attackers waged a man-in-the-browser attack and put up a phony login page to bypass dual-factor authentication. Once the bank customer logged into his bank's website, the attacker pushed him a message about an "upgraded security system."

"The customer is invited to go through a training process that intends to help him/her deal with the bank's upgraded security system. As part of the training they’re asked to make a transfer, to a fictitious bank account, and confirm the transaction using the confirmation code that is sent by the bank to the registered mobile phone. Fraudsters claim that the user's account will not be debited and the recipient's account is fabricated. Of course, the transaction then happens, the money is transferred, and the criminal disappears off into the sunset," Klein described in a blog post last fall.

Klein says the trouble with these types of attacks is that once the user's machine is infected, it's game over. "There are a lot of inherent assumptions in online banking. You assume that you can trust the browser and the user's machine to carry out the user's online activities," he says. But all of that goes out the window when man-in-the-browser malware gets injected into the picture, and typically unbeknown to the victim, he says.

[ The prolific Zeus Trojan has a new role: as a tool for breaking into online corporate payroll systems. See Zeus Trojan Targets Online Payroll Services Providers. ]

Trend Micro researchers found that while traditional man-in-the-browser attacks for online banking fraud use WebInject files to push pop-ups to victims that then steal their online credentials, the new ATS module for Zeus and SpyEye operates in the background and isn't visible. It conducts a wire transfer of the victim's stolen funds without alerting the victim at all.

It hides out and doesn't leave any trace that the malware or attacker was there in the account; as long as the user's machine is infected with the module, he won't see any of the fraudulent transactions in his account.

"We're going to see a huge spike in this commoditized attack code for man-in-the browser because ... it does everything for [the attacker]," Kellermann says. "You [the victim] don't see anything: When money is moved out of your account, you don't see it. You only see your transactions ... It's elegant."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.